Governance Research

The Authorization Gap in Agentic AI: Why Runtime Controls Alone Will Not Solve Enterprise Governance

The launch of the Agent Control Standard (ACS) in May 2026 represents a meaningful step forward in agent governance. However, according to new research from Futurum Group, ACS and similar runtime enforcement mechanisms are necessary but insufficient. The deeper problem lies in the structural gap between goal-level human authorization and action-level accountability in goal-directed agents. Because agents can infer and execute actions that were never explicitly authorized, traditional control layers cannot reconstruct what was never recorded. Compounding this challenge, platform economics strongly favor fragmentation over convergence at the governance layer. As a result, organizations chasing universal coverage are optimizing for an outcome the market structure makes unlikely. The report recommends shifting focus from elimination to shrinkage — continuously reducing ungoverned exposure below an existential threshold — while investing in prospective authorization architectures and cross-platform aggregation layers.

Updated on June 26, 2026
The Authorization Gap in Agentic AI: Why Runtime Controls Alone Will Not Solve Enterprise Governance

The rapid rise of goal-directed AI agents has exposed a fundamental weakness in how enterprises currently approach governance. While significant attention has been paid to building runtime controls and policy enforcement layers, a new analysis from Futurum Group argues that the industry may be solving the wrong problem — or at least, only solving part of it.

In the report titled "The Hard(er) Challenge in Agent Governance Is Authorization", analyst Fernando Montenegro contends that initiatives like the Agent Control Standard (ACS), launched in May 2026, are architecturally sound but analytically incomplete. ACS introduces inline, pre-action enforcement at key execution checkpoints — such as tool calls, planning-to-execution transitions, and sub-agent invocations. This is a clear improvement over earlier approaches that relied primarily on system prompts and platform-native configurations.

However, the report highlights a deeper structural issue: goal-directed agents sever the clean authorization chain that traditional identity and access management systems assume. A human authorizes a goal, but the agent infers the specific actions required to achieve it. Some of those actions may be unexpected or outside the original intent. As a result, the question “Who authorized this specific action?” often has no clear answer, because authorization existed only at the goal level.

This creates what the report calls an accountability chain break. Modern observability tools can capture what an agent did and why it made certain decisions, but they cannot validate those actions against an external authorization record that was never created in the first place.

The implications are significant. As enterprises move from bounded, deterministic agent workflows toward more open-ended, goal-directed systems, governance programs built solely around runtime enforcement will leave a persistent tail of ungoverned risk. The report argues that organizations should stop optimizing for universal coverage — an outcome platform economics make structurally unlikely — and instead focus on shrinkage: continuously reducing ungoverned exposure below an existential threshold.

This reframing has major consequences for how vendors position their solutions and how enterprises design their governance programs. It also points to a durable market opportunity in cross-platform aggregation layers that sit above fragmented hyperscaler and SaaS registries.

Key Findings

  • The Agent Control Standard (ACS), launched in May 2026, represents a structurally sound advance in runtime enforcement but does not address the core accountability gap created by goal-directed agents, where authorization exists only at the goal level rather than at the individual action level.

  • Goal-directed agents fundamentally break the authorization model assumed by traditional identity and access management systems, as agents can infer and execute actions that were never explicitly authorized by a human, creating an accountability chain that cannot be reconstructed after the fact.

  • Platform economics strongly favor fragmentation over convergence in the governance layer, as agent catalogs, lifecycle policies, and audit surfaces serve as mechanisms for platform stickiness, making universal adoption of any single governance standard structurally unlikely.

  • Organizations that continue to design governance programs around the goal of universal coverage are optimizing for an outcome that platform economics and agent architecture make unrealistic, leading to persistent residual risk even after controls are deployed.

  • The correct strategic target for enterprise agent governance is shrinkage — the continuous reduction of ungoverned exposure below an existential threshold — rather than the elimination of all ungoverned activity, which is neither technically nor economically achievable at scale.

  • Runtime enforcement layers such as ACS are necessary but analytically insufficient because they operate on actions the agent is about to take, while the accountability problem originates one layer upstream in the gap between goal-level authorization and action-level auditability.

  • Most enterprise governance programs over the next 18 months will be calibrated to satisfy regulatory and peer signaling requirements rather than to deliver genuine security outcomes, creating a widening gap between documented posture and actual governance capability.

  • The absence of a hard regulatory deadline for agent governance has made it easy for organizations to defer investment, but governance debt is accumulating rapidly as agents are deployed without proper inventorying, authorization scoping, or procurement disclosure requirements.

  • A durable market opportunity exists for vendors that position themselves as neutral aggregation layers above fragmented hyperscaler and SaaS platform registries, as no single platform has the structural incentive to provide cross-platform visibility on neutral terms.

  • Goal-scoped authorization can reduce risk for many current agent deployments, but it has clear limits with genuinely open-ended goals, where retrospective evaluation remains judgmental rather than deterministic, reinforcing the need for shrinkage as the primary success metric.

  • Procurement contracts that fail to require disclosure of agent capabilities are contributing to information asymmetry in the market, making it difficult for buyers to distinguish between genuinely well-scoped agents and those that merely claim to be.

  • Organizations that build governance programs now with an honest focus on shrinkage and continuous reduction of ungoverned exposure will be materially better positioned than those that wait for ecosystem convergence or regulatory mandates to force action.

What the Report Covers

This Futurum Group report examines why current approaches to agent governance are falling short and argues that the industry is underestimating a fundamental structural problem. It begins by analyzing the Agent Control Standard (ACS), launched in May 2026, and positions it as a meaningful but incomplete step forward. The report explains how ACS introduces inline, pre-action enforcement at key execution checkpoints, but argues that it cannot resolve the deeper accountability gap created by goal-directed agents.

The analysis then explores the difference between traditional, bounded agent workflows and truly goal-directed agents. It details how goal-level human authorization fails to propagate to the specific actions agents take at runtime, creating an unbridgeable gap between what was authorized and what actually occurs. The report contrasts this with RPA-style systems, where actions are known and authorized at design time.

A significant portion of the report is dedicated to platform economics. It explains why governance-layer standards are unlikely to achieve the same level of convergence seen in communication protocols like MCP and A2A. The author argues that agent catalogs, lifecycle policies, and audit surfaces are competitive assets, making fragmentation a permanent feature rather than a temporary maturity gap.

The report also covers the current vendor landscape, categorizing players into specialist startups, established identity providers, and large security platforms. It discusses the limitations of relying solely on runtime enforcement and introduces the concept of shrinkage as the correct organizational objective. Finally, it outlines the market opportunity for cross-platform aggregation layers and warns about the growing gap between governance signals and actual governance capability.

Our Take

AI Governance Take

The core message of this report is uncomfortable but important: most organizations are currently governing agentic AI the wrong way. They are investing heavily in runtime controls and policy engines while largely ignoring the harder problem of authorization. This creates a false sense of progress. Controls can prevent an agent from taking an action in the moment, but they cannot fix the fact that no one may have properly authorized that action in the first place.

The report makes a compelling case that platform economics will keep governance fragmented across hyperscalers and SaaS platforms. Waiting for a single universal control layer to emerge is not a strategy — it is a form of denial. Enterprises that continue to chase “complete coverage” will either overpay for solutions that overpromise or be left exposed when something goes wrong.

The practical implication is clear: organizations need to shift from an elimination mindset to a shrinkage mindset. This means accepting that some level of ungoverned exposure will always exist and focusing instead on continuously reducing it, especially around high-blast-radius agents. It also means demanding better prospective authorization models from vendors, not just better detection and blocking after the fact.

For governance teams, this report should serve as a reset. The real work is not just deploying more controls. It is redesigning how authorization, accountability, and oversight are structured for systems that can act in ways their creators did not explicitly define. Those who internalize this now will build programs that actually reduce risk. Those who do not will continue to accumulate governance debt until an incident forces a much more expensive correction.

Related Articles

The State of AI in the Enterprise A Deloitte report Governance Research

Mar 3, 2026

The State of AI in the Enterprise A Deloitte report

Read More
ValidMind Publishes Governing Agentic AI in Financial Services Governance Research

Mar 30, 2026

ValidMind Publishes Governing Agentic AI in Financial Services

Read More
MIND and CISO ExecNet Research Report: Data Trust Is the Decisive Factor in AI Success Governance Research

Apr 9, 2026

MIND and CISO ExecNet Research Report: Data Trust Is the Decisive Factor in AI Success

Read More

Stay ahead of Industry Trends with our Newsletter

Get expert insights, regulatory updates, and best practices delivered to your inbox